Perspectives on Strong Authentication
Damned if we (gov) don’t do it
● Corporate controlled or other government controlled
● No effective recourse or accountability
● Challenges with recovery when lost: if they never really knew you, how can they fix it?
● Authn services can be a party to every transaction
● UX and public perception
Damned if you do it - self provisioned
● One does not simply “self-provision” (U2F, smartphone apps for TOTP): UX
● Challenges with recovery when lost: who knows you that can help you?
● We still need to bind your authentication to our records related to you
Damned if we (gov) do it
● Protection / defense obligations are off the scale
● Low usage rates: gov-specific secrets get forgotten
● Authn services can be a party to every transaction
● If we verified your identity at our counter, then we do know you and can help recover a lost / stolen credential, but is that a bug or a feature?
● There are always users outside our borders: we can’t bring everyone to a registration counter
And lastly, there is a lending problem when the credential is tied to benefits.